Introduction to GDPR – an overview.


What is GDPR?

The General Data Protection Regulation becomes law in May 2018 and applies to any organisation collecting and storing personal information (such as a name and e-mail address) that is based anywhere in the EU or supplies goods and services to anyone in the EU.

And yes, it will apply to the UK post-Brexit.

As a direct replacement for the EU Data Protection Directive (1995) and the UK Data Protection Act (1998), the main change from a marketing perspective is a move from (soft) opt-out to (double) opt-in.

What impact will it have on my business?

If your business is predominantly B2B, you practise permission marketing and you have a robust CRM system in place, the answer is very little.

However, if you have a collection of business cards thrown in a box from sources unknown, or you regularly buy in third-party lists without provenance, or you harvest emails from the Internet or other dubious sources and then send them unsolicited messages, then the introduction of GDPR could have severe consequences.

Fall foul of the law and you could face a hefty fine. There is no minimum amount, but the maximum is currently set at 4% of global turnover or €20m, whichever is the higher.

What will I have to do to comply?

If you currently process personal information, such as individual contact names, email addresses, social media posts etc. (in fact, anything that could identify the person), you will be expected to practise good governance when it comes to storing and using this information.

This means putting procedures in place to minimise the risk of online breaches, ensuring the person has agreed to you collecting their information, and ensuring that you are using it in the manner they originally agreed to.

What should I be doing now?

1. First, make sure you are registered with the Information Commissioner's Office (ICO) (ico.org.uk). The current fee is £35 (no VAT), but this could change in May 2018.

2. Appoint a ‘data protection officer’ for your organisation, responsible for the accurate processing of personal information in respect of GDPR.

3. Review your current data collection and storage procedures.

For example, if you currently collect personal details from, say, business cards handed to you at a networking event, or in reply to an email or other communication, then before this information is used for marketing purposes there are several steps you should take.

Firstly, there has always been an assumption that if the person has given you or sent you their contact details, then it was OK to send them (even if they had not requested it) regular information about your organisation and your products / services, via a marketing automation company such as Mail Chimp etc.

In most cases this was managed by a simple ‘opt out’ unsubscribe button.

In future, if you intend sending regular information to this list, they will need to double opt in. That is: firstly, make them aware that you hold information about them and for what purpose; secondly, ask them if they wish to remain on your mailing list; and thirdly, ask their permission to continue mailing them.

In other words, good permission marketing practice.

If you store non-sensitive information about them (such as on a business card), a simple email confirming that you currently hold information about them (be specific about what it is and how you use it) with a ‘complete boxes’ form asking them to confirm their business name, email address and contact first / last names should suffice.

Article 9 of the GDPR gives details of what is classed as ‘sensitive data’.

GDPR also establishes enhanced data subject rights, including the ‘right to erasure’. This means that individuals can issue you with a subject access request to obtain details of what information you hold about them.

The big change from May is that you will no longer be able to charge for this ‘service’. Also, the time for responding has changed from 40 days to one month. For organisations processing large amounts of personal data, the ICO is encouraging an online secure self-service system for individuals to download information directly.

‘The right to be forgotten’ is also enshrined in the new law. This enables individuals to have their personal information removed (if there is no reason for its continuing existence) or revised (if it is wrong or incomplete). They also have the right to prevent or suppress the processing of their personal data (such as data automatically collected via your website etc.).

In most cases, an unsubscribe button would serve this purpose.

What if I buy or rent a third-party mailing list?

The responsibility for GDPR compliance is down to you.

Here are a few action points to help you comply with the new regulations, many of which (if not all) you are probably already doing.

1. Use an accredited supplier and know the source of your list.

2. Check to see if opt-in consent has been obtained and when (during the previous six months at least).

3. Make sure your ‘offer’ reflects the original purpose of the list. In other words, are you promoting the same or similar products / services to those of the original list consent?

4. Make sure all contact details have been screened against suppression lists (those who don’t want to receive information).

5. Inform recipients where you obtained their contact details from.

6. Include an unsubscribe button on all material sent.

It’s also a good idea to carry out a sample exercise to check the validity of the list.

So how will GDPR affect the marketing of my business?

Depending on how you currently use direct marketing (in particular, email), in other words if your tactic is ‘scattergun’ rather than ‘rifle’, you may find it harder to target new prospects. After all, one of the key purposes of GDPR is to reduce ‘spam’ and to identify the possible risks and impact of any online breach.

It is, therefore, vital that the ‘data protection officer’ asks the following questions:

1. Is the data we hold still relevant and ‘fit for purpose’? Bear in mind that data protection imposes ‘purpose limitation’ to ensure the information is only being used for the original purpose.

For example, if you are selling fruit and veg and that’s what the recipient knows you for, then you cannot suddenly start sending them information about renting your holiday villa in Spain unless you have asked their permission.

With GDPR, less is definitely more. Keep less information, but ensure it’s accurate and relevant. Now is a good time to clean your lists and delete old data.

2. Can we identify the original source of information? There’s no need for a CRM system (although this is highly recommended); it could simply be an Excel spreadsheet with an extra column marked ‘source’ (e.g. XYZ networking event, DATE).

3. Have we attempted to obtain ‘permission to store / contact’ from this individual, and are we practising robust ‘permission marketing’?

4. Do we have controls and risk treatments in place to prevent online data breaches?

Will GDPR affect my social media posting?

Unless you are in the habit of harvesting email addresses and contact details from social media platforms and sending out unsolicited messages, then the answer is ‘not a lot’.

What you will have to do, however, is ensure your Terms and Conditions are updated to reflect GDPR. As social media is more informal in nature, probably the most effective method is to ask for permission to record and store their information via a privacy notice on your website. This will also give them an opportunity to validate their data or request its removal.

Most businesses use social media to maintain a relationship with their clients. This is an effective way of keeping them up to date, introducing them to new ideas and encouraging them to share these with their friends and followers.

This means that participation in social media activity involves a personal identifier, a ‘handle’ or name that, should the person wish, can be seen by others in the public domain. This, however, does not give you the legal right to use their contact details to send them unsolicited information or to store them on a CRM system.

Where can I obtain more information?

The Information Commissioner's Office has a series of downloadable documents: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/


We have put together a FREE checklist to help you get ready; you can download it here: FREE GDPR CHECKLIST